Using specific directory servers as the LDAP server
Using IBM Directory Server as the LDAP server
One can choose the directory type of either IBM Directory Server or SecureWay for the IBM Directory Server. For supported directory servers, refer to the article, Supported directory services. The difference between these two types is group membership lookup. It is recommended that you choose the IBM Directory Server for optimum performance during run time. In the IBM Directory Server, the group membership is an operational attribute. With this attribute, a group membership lookup is done by enumerating the ibm-allGroups attribute for the entry, rather than selecting a group and browsing through the members list. To utilize this attribute in a security authorization application, use a case-insensitive match so that attribute values returned by ibm-allGroups are all in uppercase.
Using iPlanet Directory Server as the LDAP server
One can choose the iPlanet Directory Server or NetScape for your iPlanet Directory Server system. For supported directory servers, refer to the article, Supported directory services. The difference between the two directory server types is group membership lookup. The iPlanet Directory Server directory is selected to use with the iPlanet Directory Server new grouping mechanism only. The new grouping mechanism is called roles in the iPlanet Directory Server, and the attribute is nsRole. Roles unify entries. Roles are designed to be more efficient and easier to use for applications. For example, an application can locate the role of an entry by enumerating all the roles possessed by a given entry, rather than selecting a group and browsing through the members list. With the iPlanet Directory Server directory, WebSphere Application Server security only supports groups defined by nsRole. If you plan to use traditional grouping methods to group entries in the iPlanet Directory Server , select NetScape as the directory type.
Using MS Active Directory server as the LDAP server
To use Microsoft Active Directory as the LDAP server for authentication with WebSphere Application Server, there are specific steps take. By default, Microsoft Active Directory does not permit anonymous LDAP queries. To create LDAP queries or browse the directory, an LDAP client must bind to the LDAP server using the distinguished name (DN) of an account that belongs to the administrator group of the Windows system. Group membership search in the Active Directory is done by enumerating the memberof attribute possessed by a given user entry, rather than browsing through the member list in each group. If you change this default behavior to browse each group, you can change the Group Member ID Map field from memberof:member to group:member .
To set up Microsoft Active Directory as your LDAP server, complete the following steps.
- Determine the full DN and password of an account in the administrators group. For example, if the Active Directory administrator creates an account in the Users folder of the Active Directory Users and Computers Windows NT or Windows 2000 systems control panel and the DNS domain is ibm.com , the resulting DN has the following structure:
cn=<adminUsername>, cn=users, dc=ibm, dc=com- Determine the short name and password of any account in the Microsoft Active Directory. This password does not have to be the same account used in the previous step.
- Use the WebSphere Application Server administrative console to set up the information needed to use Microsoft Active Directory:
- Start the administrative server for the domain, if necessary.
- On the administrative console, click Security on the left navigation panel.
- Click the Authentication mechanisms tabbed page. Select Lightweight Third Party Authentication (LTPA) as the authentication mechanism.
- Enter the following information in the LDAP settings fields:
- Security Server ID: The short name of the account chosen in 2
- Security Server Password: The password of the account chosen in step 2
- Directory Type: Active Directory
- Host: The domain name system (DNS) name of the machine running Microsoft Active Directory
- Base Distinguished Name: The domain components of the DN of the account chosen in step 1. For example: dc=ibm, dc=com Bind
- Distinguished Name: The full DN of the account chosen in step 1. For example: cn=<adminUsername>, cn=users, dc=ibm, dc=com
- Bind Password: the password of the account chosen in step 1
- Click OK to save the changes.
- Stop and restart the administrative server so that changes take effect.
Using a Lotus Domino Server as the LDAP server
If you choose the Lotus Domino LDAP server version 6 and the attribute shortname is not defined in the schema, you can do either of the following:
- Change the schema to add the shortname attribute.
- Change the user ID map filter to replace the shortname with any other defined attribute (preferably to uid). For example, change person:shortname to person:uid
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.